Security risk quantification empowers business decisions


Executive summary

When enterprise leaders discovered that no single procedure could fully resolve IT security issues for their organizations, their next best alternative was to reduce risk to an acceptable level. Because security was considered too hard to measure in financial terms, some C-suite executives assessed security risk in highly subjective terms.

Other executives relied on third-party vendors providing risk ratings, vulnerability scans and internet surface scans to assess their security. These activities provide valuable qualitative measures of security risk; however, their effectiveness can be enhanced. Specifically, they don’t address the different and often competing priorities of the leaders making decisions that involve security risk for their businesses.

When handling security issues for an enterprise, the following questions occur first to people in these positions:

  • How do I build a business case about this risk?
  • What’s the overall ROI for the enterprise?
  • Are we addressing vulnerabilities and threats?
  • Board executives: How can we avoid becoming the next headline?

Executive board members’ concerns focus on how a security event can disrupt their company from manufacturing, marketing and selling goods and thus generate bad publicity. These members seek to minimize the risk of such an instance from happening, but they often lack the information needed to determine an appropriate course of future action within their budgets.

CEOs and board executives need the critical ability to connect security risk management with their overall business strategy. By quantifying security risk in dollar amounts, executive board members get a better understanding of the potential financial impacts their organizations face if they do not take corrective action.

To spend intelligently on reducing risk, security risk needs to be considered up front when making any changes. Security risk quantification fulfills this need for all parties, including CIOs, CFOs, CISOs and board executives, by communicating priorities and increasing collaboration within the C-suite.

With security risk quantification, CIOs can understand the likelihood and potential frequency of an event occurring based on threats, the value of the assets that are jeopardized and the cost of the impact. CFOs can compare the value and impact of various mitigation strategies through a comparison of costs and expected risk reduction, and use those metrics to show the ROI of security projects.

CISOs can convey strategy and technical requirements to the C-suite in language everyone understands. Security risk quantification makes security strategy consumable to upper management including board executives for buy-in. Board executives also learn in estimated dollar amounts the financial loss awaiting their business if they fail to implement recommended security controls.

“Security risk quantification helps unite board executives, CIOs, CFOs and CISOs on security.”

IBM® Security Risk Quantification Services creates risk assessments to help clients identify, prioritize and quantify security risk as they weigh decisions such as deploying new technologies, making investments in their business and changing processes. By using the organization’s own data and leveraging IBM’s threat intelligence data, Security Risk Quantification provides insights into the financial impacts of security risk. By quantifying security risk in financial terms, clients receive an extra level of clarity and understanding of how to reduce overall risk.

By properly implementing Security Risk Quantification, executive board members can achieve the following tasks:

  • Understand the true monetary impact of potential threats
  • Prioritize security risks in a contextually relevant manner and convey the return on security investment to the business
  • Improve operational decision support
  • Enable strategic decision support with risk aggregation
  • Make better, more complicated decisions in less time under conditions of uncertainty

Integrating a risk-based approach

A risk-based approach to managing security helps in today’s complex business and threat environment. The best security risk management provides efficiency and effectiveness for the executives of an organization.

Security risk quantification can help those executives focus on the areas of the organization they believe carry higher risk and prioritize improvements. Neither of these tasks can be achieved through maturity-based security programs, which can become outdated and are no longer adequate for combating risks.1 Instead, a risk-based approach addresses these issues by emphasizing finding, measuring and ranking security risks and implementing targeted spending.

“Make business decisions using a risk-based approach.”

Enterprise officials need to be aware of, and committed to addressing, information security risks to make better decisions. Additionally, executives need to make sure their business objectives align with their strategy for security investments.

For those reasons, a risk-based approach such as security risk quantification is critical for strategy and planning. Security risk quantification should be incorporated into comprehensive risk management programs. After performing security risk quantification, users can define their recommendations and response controls for the identified risks.

Most executives know they need to address security risk. With attackers employing more and newer techniques and tools, security risk is at the top of many corporate risk agendas. Informed business decision-making requires security leaders to translate risk into dollar amounts and deliver a cost-benefit analysis that gives non-security leadership the possible cost impact of risk. At the same time, this process translates security investments or remediation strategies into a business case and ROI.

Respondents ranking security risk as a top concern2

At the same time, only half of enterprise leaders are using security risk quantification to optimize their ROI on security investments.

C-level executives who use risk quantification tools for security investment decisions3

Clearly, more executives can and should be investing in security risk quantification to resolve this discrepancy. Here are some reasons why.

1 The risk-based approach to cybersecurity, McKinsey & Company, 8 October 2019.

Security risk quantification and pain points

As information security risks increase and change, pain points evolve and proliferate for organization leaders interested in implementing security risk management. The pain points include the following considerations:

  • Business officials lack a consensus on their top ten information security risks due to subjectivity.
  • Executive boards, CEOs, CFOs, CIOs and CISOs all view security risks from their own perspectives.
  • No common language exists for evaluating security risk among enterprise leaders.
  • Officials often lack solid information needed to make better decisions, including regarding risk identification, risk assessment and risk treatment.
  • Misalignment can occur between security strategy and business strategy.
  • No method exists to trace how risk amounts were derived, which means auditing the process or reperforming the calculations is impossible.

“The good news is risk quantification addresses all these pain points.”

Security risk quantification empowers CISOs and CSOs to present executive boards with a cost-benefit approach and options to take regarding security risk described in concrete business terms. Armed with this knowledge, executive board members can make informed decisions on how much risk they are willing to take which the CISOs and CSOs can execute. With security risk quantification, CISOs and CSOs transform from being caretakers of security options viewed as slowing down and hurting a business to being a partner in choosing mitigation services. The process promotes collaboration and cohesion among all parties.

Security risk quantification also helps provide a clear strategy and roadmap for both security teams and business leaders to implement their zero trust projects. By showing the biggest security impacts for a business, risk quantification can flag risks and liabilities that need to be resolved before implementing a zero trust strategy. With that knowledge in advance, zero trust projects can follow through to insulate a business from anticipated and unexpected risks by requiring validation and authorization for all connections.

The end result is enterprise executives get assurance on the security risk from both technical and business perspectives by putting a number to that risk. Executives get a common language to take the actions necessary to help mitigate security threats to their organizations. Additionally, executives get a strategic view of risk management and better understand the potential reputational damage, regulatory liability and business disruption of their security threats. Ultimately, security becomes an enabler of the business rather than a cost center.

Common client use cases

While many functions of an organization can benefit from the use of security risk quantification, the collection and analysis of data is particularly helpful when conducting certain processes.

“Quantification of security investment aids the decision-making process.”

Migration to cloud

For many organization leaders moving to more resilient and agile business models to curb expenses, accelerating to the cloud is part of their transformation. However, the journey to cloud can create new security risks for an enterprise, because it exposes new potentially vulnerable facets. The following risks can occur:

  • Architectural complexity
  • Poor application selection
  • Application dependencies
  • Unwanted latency
  • Security considerations1

Misconfigured clouds were a leading cause of breaches. Alongside stolen or compromised credentials, misconfigured cloud servers tied for the most frequent initial threat vector in breaches caused by malicious attacks, at 19%. Breaches due to cloud misconfigurations resulted in the average cost of a breach increasing by more than half a million dollars.2


Average cost of a breach due to cloud misconfigurations


Cloud misconfiguration impact on average total cost of data breach

Security complexity and cloud migration cost companies most. Undergoing an extensive cloud migration at the time of the breach increased the average cost of a breach by more than $267,000, to an adjusted average cost of $4.13 million.


Undergoing cloud migration impact on average total cost of data breach

A sound security risk quantification program can uncover these risks and estimate how much they could cost if they occur when migrating to the cloud. Security risk quantification supplies objective metrics for a programmatic approach to cloud migration decision-making.


Third-party management

When using third-party vendors, many considerations regarding security can arise, including maintaining data privacy and regulatory compliance as part of the business arrangement. The potential risks apply regardless of whether the third party is under contract to the organization.

For example, this consideration especially applies to national banks and federal savings associations operating in the United States. The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management regardless of whether the bank performs the activity internally or through a third party. A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.

A majority of malicious breaches were caused by compromised credentials, cloud misconfiguration or a third-party software vulnerability. Third-party software vulnerability was the initial threat vector in 16% of malicious breaches, the third most frequent initial threat vector.6

The OCC makes the following recommendations for banks to observe:

  • Adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.
  • Ensure comprehensive risk management and oversight of third-party relationships involving critical activities.
  • Have an effective risk management process throughout the life cycle of the third-party relationship.7

Besides financial services, leaders of all industries should have security considerations driving their third-party management. Qualifying the risk through questionnaires and risk scoring often produces findings that are incredibly technical and complicated. Quantifying these findings to measure against risk appetite and risk tolerance is challenging, especially in communicating to stakeholders the reasons for these conclusions.

Instead, developing and implementing comprehensive security strategies for information protection and privacy while staying under budget requires security risk quantification. By continuously managing and updating security risk quantification and third-party risk assessment, organizations can comply with regulations while avoiding unexpected expenses.


Mergers and acquisitions

Mergers, acquisitions, divestitures and other changing business priorities can increase an organization’s security risk considerably. Security breaches can occur in recently added companies, as the acquirer absorbs virtually any exposure to security risks associated with the target’s applications and information systems.

The potential liabilities from security breaches can be enormous. Lawsuits and noncompliance implications can negate the acquired company’s value. Depending on business size and criticality of vulnerabilities discovered before, during, or after an M&A deal, up to hundreds of millions of US dollars are at stake. Potentially more incalculable damage can occur from loss of customers and reputation.

Security risk quantification helps identify the costs of gaps which should be priced into the deal. Under security risk quantification, participants conduct a detailed cost of acquisition evaluation, including aligning security for base services such as email and file sharing and more complex services. This process assesses the cost associated for mitigations and possible integration of services and helps to create an overall security risk view. The consolidated key findings and observations from the due-diligence assessments can document gaps from the target operating model and develop recommendation plans for resolution.

The IBM Institute for Business Value (IBV), in cooperation with Oxford Economics, surveyed 720 executives about M&A from organizations across the electronics, chemicals and petroleum, and healthcare and life sciences industries in 2019. Respondents came from 18 different countries as well. The following results emerged from the survey:8

  • Total annual revenue executives spent on the M&A process alone
  • Percentage of respondents who cited security concerns (risk too great) as one of the top three reasons for decisions not to proceed with M&A deals
  • Percentage of respondents who cited compliance issues
  • Percentage of respondents who cited focus on security during due diligence and integration as one of their top three M&A success factors
  • Percentage of respondents who cited insufficient focus on security during due diligence and integration as one of their top three M&A challenges
  • Percentage of respondents who have experienced a data breach that can be attributed to M&A activity during integration
  • Percentage of respondents who have experienced a data breach that can be attributed to M&A activity post integration
  • Percentage of respondents whose companies perform a security assessment after due diligence is complete

These findings indicate more than half of executives surveyed have experienced compliance issues and a data breach that can be attributed to M&A activity. The need for enterprise leaders to implement top security risk quantification to prevent such instances is evident.

4 Cloud Migration Risks, IBM Cloud, n.d.
5 Cost of a Data Breach 2020, IBM Security, 2020.
6 Cost of a Data Breach 2020, IBM Security, 2020.
7 Third-Party Relationships: Risk Management Guidance, OCC Bulletin 2013-29, 30 October 2013.

Using the FAIR approach to quantify risk

One globally recognized security risk quantification methodology is the Factor Analysis of Information Risk (FAIR™). Security risk quantification models such as FAIR let companies manage security risk from a business perspective and assess the financial impact of security measures using data-driven approaches. The Open Group, a technology standards consortium sponsored by more than 500 organizations including IBM, developed FAIR as an international standard quantitative model for defining and quantifying security and operational risk.

IBM bases its security risk quantification methodology on FAIR. Consultants from IBM engage with the organization’s business executives to perform risk assessments built on specific scenarios and aligned with the organization’s threat and asset repository, then receive modelling support from the RiskLens® software platform. Using a Software as a Service (SaaS) platform enables IBM Security™ experts to perform statistical modeling amid the uncertainty of future outcomes. The possible loss ranges, together with their probability estimates, help organization leaders prepare to address the security risk by implementing recommended remediation actions. IBM further assists the organization with developing and sustaining a programmatic approach to adopting the FAIR methodology, tailored to the organization’s risk profile.

FAIR risk factor hierarchy (risk is the product of loss frequency and loss magnitude):

– Risk
  – Loss frequency
    – Threat event frequency
      – Probability of action
    – Vulnerability
      – Threat capability
      – Resistance strength
  – Loss magnitude
    – Primary loss
    – Secondary loss

This security risk quantification expresses potential future losses in financial terms through scenario preparation. Experts evaluate one or more risk scenarios based on these three elements specified in advance of an analysis.



An asset is any element of value organization leaders seek to protect, such as the following items:

– Database full of sensitive data
– Systems or applications
– A physical facility
– Employees
– Supplier relationships
– Financial instruments, including cash, savings and investments



A threat is an agent that can act against the asset and result in loss to the organization, such as the following items:

– Lone hacker
– Organized criminal group
– Rogue employee
– Earthquake
– Failing hard drive
– Software with bugs
– Self-propagating malicious code



An effect is the loss resulting from a successful action of the threat against the asset, such as the following items:

– Confidentiality
– Integrity
– Availability
– Personal injury
– Physical property damage

In scenario preparation, if the threat were to successfully act on the asset to produce the effect, the organization would experience financial loss. Security risk quantification would determine the parameters of the loss.

A sample risk scenario is “What is the risk associated with loss of confidentiality of HR system data caused by an external malicious actor through a phishing attack?” IBM Security team members would show the projected average annualized loss exposure both with and without encryption as comparable security risk quantification scenarios.
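To show how the FAIR factors named above turn a scenario like this into an annualized loss exposure, the following Python is an added illustration, not IBM’s or RiskLens’s code: it samples each factor from a min/most-likely/max range, simulates many years, and compares the HR phishing scenario with and without encryption. Every range, the triangular sampling, and the assumed effect of encryption (higher resistance strength, smaller secondary loss) are constructed assumptions for illustration only.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).
Assumed factor chain, following the FAIR factors named in the text:
  Risk (ALE)           = Loss Event Frequency x Loss Magnitude
  Loss Event Frequency = Threat Event Frequency x Vulnerability
  Vulnerability        = P(Threat Capability > Resistance Strength)
  Loss Magnitude       = Primary Loss + Secondary Loss
All numeric ranges below are constructed illustrations, not client data.
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Range:
    """Calibrated min / most-likely / max estimate for one FAIR factor."""
    lo: float
    mode: float
    hi: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular's signature is (low, high, mode); a degenerate
        # range (lo == hi) returns lo, so point estimates stay exact.
        return rng.triangular(self.lo, self.hi, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range        # threat events per year (phishing waves reaching HR staff)
    tcap: Range       # threat capability, percentile 0-100
    rstrength: Range  # resistance strength of current controls, percentile 0-100
    primary: Range    # primary loss per event, USD (response, replacement, productivity)
    secondary: Range  # secondary loss per event, USD (fines, legal, customer loss)


def simulate(s: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """Mean and 90th-percentile annual loss over `trials` simulated years."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        tef = s.tef.sample(rng)
        # A threat event becomes a loss event only if capability beats resistance.
        vulnerable = s.tcap.sample(rng) > s.rstrength.sample(rng)
        lef = tef if vulnerable else 0.0
        magnitude = s.primary.sample(rng) + s.secondary.sample(rng)
        annual.append(lef * magnitude)
    annual.sort()
    return {"scenario": s.name, "ale_mean": mean(annual),
            "ale_p90": annual[int(0.9 * trials)]}


def compare(without: Scenario, with_control: Scenario, annual_control_cost: float,
            trials: int = 10_000, seed: int = 1) -> dict:
    """ALE with and without a control, and the return on that control's cost."""
    a = simulate(without, trials, seed)["ale_mean"]
    b = simulate(with_control, trials, seed)["ale_mean"]
    reduction = a - b
    return {"ale_without": a, "ale_with": b, "risk_reduction": reduction,
            "rosi": (reduction - annual_control_cost) / annual_control_cost}


# The text's sample scenario: confidentiality of HR system data, external
# malicious actor via phishing, modelled with and without encryption at rest.
HR_PHISHING_NO_ENC = Scenario(
    "HR data confidentiality / phishing / no encryption",
    tef=Range(1, 3, 8), tcap=Range(40, 60, 80), rstrength=Range(30, 45, 60),
    primary=Range(50_000, 120_000, 400_000), secondary=Range(200_000, 600_000, 2_000_000))
# Assumption: encryption raises resistance strength and shrinks secondary loss.
HR_PHISHING_ENC = Scenario(
    "HR data confidentiality / phishing / encryption",
    tef=Range(1, 3, 8), tcap=Range(40, 60, 80), rstrength=Range(60, 75, 90),
    primary=Range(50_000, 120_000, 400_000), secondary=Range(50_000, 150_000, 500_000))
```

Calling `compare(HR_PHISHING_NO_ENC, HR_PHISHING_ENC, 250_000)` returns the two annualized loss exposures, the risk reduction and the return on the assumed $250,000 annual control cost, which is the comparison the scenario above asks for.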

“Aggregation of risk can be done by aggregating individual analyses of assets, threats and effects.”

IBM Security experts help triage the existing risk registers, assets and threat catalogues to identify the possible risk scenarios. The preparation helps in establishing a common risk language and agreeing on measurable financial metrics to rank risks and identify the security investments needed to meet the organization’s risk appetite.

IBM can provide consultation and advice to executives on reducing and managing IT security risks found through risk assessment. Risk assessment based on multiple scenarios can be combined to produce a larger, aggregated view of overall risk for an organization.

IBM can build a security risk quantification program and help clients institutionalize security risk quantification throughout the organization. Quantifying risk should not be one scenario at one point in time, but rather an ongoing new way of measuring and communicating risk.

Moving to a risk-based approach

Security risk quantification offers a business approach to security for enterprise executives. Adopting a quantitative risk-based approach better equips organizations to focus their investments, address critical skill gaps, determine whether their control frameworks are effective and provide business justification for their security spend. This move makes actual risk reduction the goal and focuses investments on the organization’s top priorities.

By quantifying the risks, the C-suite can understand the actual costs of exposures and the expected loss if those risks materialize. More fundamentally, CFOs, CISOs, CIOs and chief risk officers (CROs) can provide board executives with data-based answers to the following concerns:

  • What are our top risks? Have we quantified and identified the degree of uncertainty with respect to threats materializing?
  • What’s the material impact if the risk event occurs?
  • What’s the expected loss, given our current residual risk?
  • What’s the likelihood of a risk event occurring?
  • What’s the data-based business justification for managing those risks?

IBM Security Risk Quantification uses expert knowledge from security, risk management and statistical modelling to measure an organization’s security risk exposure based on the impact of potential attacks and the ability of the organization’s controls to prevent them.

“IBM adds value to organizations addressing their security risk exposure.”

Security Risk Quantification can provide a directional view around the level of risk for an organization. The process can help organizations achieve the following tasks:

  • Bring business alignment on the organization’s top risks and associate a dollar value for risk
  • Make informed decisions about security investments and measure security ROI
  • Develop a sustainable security risk quantification program and help manage the program

Expert security consultants from IBM are experienced in applying the latest industry-leading threat intelligence and technical and investigative skills. With Security Risk Quantification, enterprise executives can address their pain points and be more confident about the ROI they can expect from prioritizing their risk exposures.

Additionally, IBM can include data from Cost of a Data Breach research in the security risk quantification modelling. The annual X-Force® Threat Intelligence Index from IBM offers research that can also be leveraged when building a security risk quantification program for organizations.

Quantifying your security risk into financial terms is essential for effective enterprise planning. To achieve this outcome, you need to connect security risk management with your overall business strategy by integrating security intelligence into quantified business risks and metrics.

Experts from IBM Security Strategy, Risk and Compliance have a deep understanding of information security and information security risks. Security Risk Quantification from IBM offers C-level executives a holistic approach for data collection and analysis using services experts experienced in enterprise risk management, regulatory risks and related areas.

Let our Security Risk Quantification experts work with your organization’s IT and security professionals so you can achieve the following tasks for your organization:

  • Empower business decision-making
  • Connect security to the business
  • Empower CISOs to communicate security as a business problem
  • Understand the true monetary impact of potential threats
  • Prioritize security risks in a contextually relevant manner
  • Convey the return on security investment to the business
  • Improve operational decision support
  • Enable strategic decision support with risk aggregation
  • Make better, more complicated decisions in less time under conditions of uncertainty

Learn more about IBM Security Risk Quantification Services and what it can do for your organization.